arachni 0.4.3.2 → 0.4.4

data/modules/audit/sqli_blind_rdiff/payloads.txt

@@ -1,5 +1,5 @@
-%q% and %q%1
-%q%) and %q%1
-%q%)) and %q%1
-%q%))) and %q%1
-%q%)))) and %q%1
+%q% and %q%
+%q%) and %q%
+%q%)) and %q%
+%q%))) and %q%
+%q%)))) and %q%

data/modules/recon/grep/form_upload.rb

@@ -0,0 +1,61 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# Looks for and logs forms with file inputs.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1
+class Arachni::Modules::FileUpload < Arachni::Module::Base
+
+
+    def run
+        page.forms.each do |form|
+            next if form.raw.empty?
+
+            form.raw['input'].each do |input|
+                next if input['type'] != 'file'
+                log( match: form.to_html, element: Element::FORM )
+            end
+        end
+    end
+
+    def self.info
+        description = 'Logs upload forms which require manual testing.'
+        {
+            name:        'Form-based File Upload',
+            description: description,
+            elements:    [ Element::FORM ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1',
+            targets:     %w(Generic),
+            references: {
+                'owasp.org' => 'https://www.owasp.org/index.php/Unrestricted_File_Upload'
+            },
+
+            issue:       {
+                name:        %q{Form-based File Upload},
+                cwe:         '200',
+                description: description,
+                tags:        %w(file upload),
+                severity:    Severity::INFORMATIONAL
+            },
+            max_issues: 25
+        }
+    end
+
+
+end

data/modules/recon/htaccess_limit.rb

@@ -17,13 +17,16 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.4
+# @version 0.1.5
 #
 class Arachni::Modules::Htaccess < Arachni::Module::Base
 
     def run
         return if page.code != 401
-        http.post( page.url ) { |res| check_and_log( res ) }
+
+        [:post, :head, :blah]. each do |m|
+            http.request( page.url, method: m ) { |res| check_and_log( res ) }
+        end
     end
 
     def check_and_log( res )
@@ -39,7 +42,7 @@ class Arachni::Modules::Htaccess < Arachni::Module::Base
                 GET requests but allows POST.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.5',
             targets:     %w(Generic),
             references: {
                 'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limit'

data/modules/recon/x_forwarded_for_access_restriction_bypass.rb

@@ -0,0 +1,55 @@
+=begin
+    Copyright 2010-2013 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+# @version 0.1
+class Arachni::Modules::XForwardedAccessRestrictionBypass < Arachni::Module::Base
+
+    def run
+        return if ![401, 403].include?( page.code )
+        http.get( page.url, headers: { 'X-Forwarded-For' => '127.0.0.1' } ) do |res|
+            check_and_log( res )
+        end
+    end
+
+    def check_and_log( res )
+        return if res.code != 200
+        log( { element: Element::SERVER }, res )
+        print_ok "Request was accepted: #{res.effective_url}"
+    end
+
+    def self.info
+        {
+            name:        'X-Forwarded-For Access Restriction Bypass',
+            description: %q{Retries denied requests with a X-Forwarded-For header
+                to trick the web application into thinking that the request originates
+                from localhost and checks whether the restrictions was bypassed.},
+            elements:    [ Element::SERVER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1',
+            targets:     %w(Generic),
+            issue:       {
+                name:        %q{Access restriction bypass via X-Forwarded-For},
+                description: %q{Access restrictions can be bypassed by tricking
+                    the web application into thinking that the request originated
+                    from localhost.},
+                tags:        %w(access restriction server bypass),
+                severity:    Severity::HIGH
+            }
+        }
+    end
+
+end

data/plugins/http_dicattack.rb

@@ -17,7 +17,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.2
+# @version 0.1.3
 #
 class Arachni::Plugins::HTTPDicattack < Arachni::Plugin::Base
 
@@ -52,12 +52,8 @@ class Arachni::Plugins::HTTPDicattack < Arachni::Plugin::Base
         print_status "Maximum number of requests to be transmitted: #{total_req}"
 
         @users.each do |user|
-            url.user = user
-
             @passwds.each do |pass|
-                url.password = pass.strip
-
-                http.get( url.to_s ).on_complete do |res|
+                http.get( url.to_s, username: user, password: pass ).on_complete do |res|
                     next if @found
 
                     print_status "Username: '#{user}' -- Password: '#{pass}'"
@@ -68,7 +64,8 @@ class Arachni::Plugins::HTTPDicattack < Arachni::Plugin::Base
                     print_ok "Found a match. Username: '#{user}' -- Password: '#{pass}'"
                     print_info "URL: #{res.effective_url}"
 
-                    framework.opts.url = res.effective_url
+                    framework.opts.http_username = user
+                    framework.opts.http_password = pass
 
                     # register our findings...
                     register_results( username: user, password: pass )
@@ -100,7 +97,7 @@ class Arachni::Plugins::HTTPDicattack < Arachni::Plugin::Base
                 framework-wide and used for the duration of the audit.
                 If that's not what you want set the crawler's link-count limit to "0".},
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.2',
+            version:     '0.1.3',
             options:     [
                 Options::Path.new( 'username_list', [true, 'File with a list of usernames (newline separated).'] ),
                 Options::Path.new( 'password_list', [true, 'File with a list of passwords (newline separated).'] )

data/plugins/redundant_vectors.rb

@@ -0,0 +1,34 @@
+class Arachni::Plugins::RedundantVectors < Arachni::Plugin::Base
+
+    def run
+        @filter = Arachni::Support::LookUp::HashSet.new
+
+        Arachni::Element::Capabilities::Auditable.skip_like do |element|
+            next false if element.altered.to_s.empty?
+
+            id = get_id( element )
+
+            if @filter.include? id
+                print_info "Skipping: #{element.altered}"
+                true
+            else
+                @filter << id
+                false
+            end
+        end
+    end
+
+    def get_id( element )
+        "#{element.auditor.class}:#{element.altered}"
+    end
+
+    def self.info
+        {
+            name:        'Redundant vectors',
+            description: %q{Prevents vectors with the same name from being audited more than once.},
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1'
+        }
+    end
+
+end

data/reports/html/default/issues.erb

@@ -15,9 +15,9 @@
                         These issues are considered trusted and fairly accurate.
                     </blockquote>
 
-                    <% if !filtered_hashes.empty? %>
+                    <% if filtered_hashes.any? %>
                         <% auditstore.issues.each_with_index do |issue, i|%>
-                            <% next if !filtered_hashes.include?( issue._hash ) %>
+                            <% next if issue.untrusted? %>
 
                             <%= erb :issue, { :idx => i+1, :issue => issue, :crypto_issues => crypto_issues } %>
                         <% end %>
@@ -37,27 +37,12 @@
                         The listed issues need verification by a human.
                     </blockquote>
 
-                    <% if !anomalous_hashes.empty? %>
-                        <div id="untrusted-tabs">
-                            <ul>
-                                <% anomalous_meta_results.each_pair do |name, data|%>
-                                    <li><a href="#<%=name%>"><%=data[:name]%></a></li>
-                                <% end %>
-                            </ul>
-
-
-                            <% anomalous_meta_results.each_pair do |name, data|%>
-                            <div id="<%=name%>">
-                                <h3>Component description:</h3>
-                                <blockquote> <%=data[:description]%> </blockquote>
-                                <br/>
-                                <% data[:results].each do |issue| %>
-                                    <%= format_issue( issue['hash'] ) %>
-                                <% end %>
-                            </div>
-                            <% end %>
+                    <% if anomalous_hashes.any? %>
+                        <% auditstore.issues.each_with_index do |issue, i|%>
+                            <% next if issue.trusted? %>
 
-                        </div>
+                            <%= erb :issue, { :idx => i+1, :issue => issue, :crypto_issues => crypto_issues } %>
+                        <% end %>
                     <% else %>
                         <p class="notice">No untrusted issues have been logged.</p>
                     <% end %>

data/reports/stdout.rb

@@ -23,7 +23,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2.3
+# @version 0.2.4
 #
 class Arachni::Reports::Stdout < Arachni::Report::Base
 
@@ -159,7 +159,7 @@ class Arachni::Reports::Stdout < Arachni::Report::Base
             name:        'Stdout',
             description: %q{Prints the results to standard output.},
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.2.3'
+            version:     '0.2.4'
         }
     end
 
@@ -172,7 +172,7 @@ class Arachni::Reports::Stdout < Arachni::Report::Base
             print_info "Variation #{i+1}:"
             print_info "URL: #{var['url']}"
             print_info "ID:  #{var['id']}"                          if var['id']
-            print_info "Injected value:     #{var['injected']}"     if var['injected']
+            print_info "Injected value:     #{var['injected'].inspect}"     if var['injected']
             print_info "Regular expression: #{var['regexp']}"       if var['regexp']
             print_info "Matched string:     #{var['regexp_match']}" if var['regexp_match']
 

data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb

@@ -10,8 +10,9 @@ describe Arachni::Element::Capabilities::Auditable::RDiff do
     describe '#rdiff_analysis' do
         before do
             @opts = {
-                faults: ['bad'],
-                bools:  ['good']
+                pairs: [
+                    { 'good' => 'bad '}
+                ]
             }
             @params = { 'rdiff' => 'blah' }
             issues.clear

data/spec/arachni/http_spec.rb

@@ -75,7 +75,6 @@ describe Arachni::HTTP do
         end
     end
 
-
     describe 'Arachni::Options#url' do
         context 'when the target URL includes auth credentials' do
             it 'uses them globally' do
@@ -101,6 +100,33 @@ describe Arachni::HTTP do
         end
     end
 
+    describe 'Arachni::Options#http_username and Arachni::Options#http_password' do
+        it 'uses them globally' do
+            url = web_server_url_for( :http_auth )
+            @opts.url = url.to_s
+
+            Arachni::Options.http_username = 'username1'
+            Arachni::Options.http_password = 'password1'
+            @http.reset
+
+            # first fail to make sure that our test server is actually working properly
+            code = 0
+            @http.get( @opts.url + 'auth' ) { |res| code = res.code }
+            @http.run
+            code.should == 401
+
+            Arachni::Options.http_username = 'username'
+            Arachni::Options.http_password = 'password'
+            @http.reset
+
+            response = nil
+            @http.get( @opts.url + 'auth' ) { |res| response = res }
+            @http.run
+            response.code.should == 200
+            response.body.should == 'authenticated!'
+        end
+    end
+
     describe 'Arachni::Options#user_agent' do
         it 'uses the default user-agent setting' do
             body = nil

data/spec/modules/audit/path_traversal_spec.rb

@@ -13,8 +13,8 @@ describe name_from_filename do
 
     def issue_count_per_target
         {
-            unix:    8,
-            windows: 24,
+            unix:    64,
+            windows: 96,
             tomcat:  12
         }
     end

data/spec/modules/audit/rfi_spec.rb

@@ -12,7 +12,7 @@ describe name_from_filename do
     end
 
     def issue_count
-        8
+        12
     end
 
     easy_test

data/spec/modules/audit/source_code_disclosure_spec.rb

@@ -0,0 +1,24 @@
+require 'spec_helper'
+
+describe name_from_filename do
+    include_examples 'module'
+
+    def self.targets
+        %w(PHP JSP ASP)
+    end
+
+    def self.elements
+        [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ]
+    end
+
+    def issue_count_per_element
+        {
+            Element::FORM => 2,
+            Element::LINK => 4,
+            Element::COOKIE => 1,
+            Element::HEADER => 2
+        }
+    end
+
+    easy_test
+end

data/spec/modules/recon/grep/form_upload_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe name_from_filename do
+    include_examples 'module'
+
+    def self.targets
+        %w(Generic)
+    end
+
+    def self.elements
+        [ Element::FORM ]
+    end
+
+    def issue_count
+        1
+    end
+
+    easy_test
+end

data/spec/modules/recon/x_forwarded_for_access_restriction_bypass_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe name_from_filename do
+    include_examples 'module'
+
+    def self.targets
+        %w(Generic)
+    end
+
+    def self.elements
+        [ Element::SERVER ]
+    end
+
+    def issue_count
+        2
+    end
+
+    easy_test
+end